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DETAILED ACTION 

1. Claims 1-27 are pending. 

Continued Examination Under 37 CFR 1.114 

2. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1 .17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 6-29- 
2009 has been entered. 

Response to Arguments 

3. Applicant's arguments filed 6-29-2009 have been fully considered but they are 
not persuasive. Regarding Applicant's argument that Linnakangas does not teach the 
intermediate computer uses the same secure connection without establishing a new 
secure connection and without involving the second computer. Linnakangas teaches an 
intermediate computer (IP forwarder) that receives packets and forwards the packets to 
their destination using a secure association (SA) (See paragraph 8, lines 1-5; wherein 
using the same secure association, is using the same secure connection). 

Regarding Applicant's argument that there is no secure connection between local 
host 5 and router 2 in Linnakangas. Linnakangas teaches a method for providing 
Internet Protocol Security (IPSec) for communicating over un-trusted networks such as 
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the Internet 3 (See par.'s 1 & 2). Local host 5 and router 2 are both on a corporate 
Local Area Network (LAN) 1 (See par. 24, lines 1-3). Providing a secure connection 
between nodes on a private LAN is inherent and discussing such security would be 
repetitive. Linnakangas details the processing that goes on when traffic traverses the 
Internet, such as traffic between router 2 and remote host 4 (See par. 24, lines 3-8). 
While traffic between router 2 and remote host 4 is discussed in detail in Linnakangas, 
the destination of the traffic sent from remote host 4, is local host 5 (See par. 24, lines 
6-7). 

Regarding Applicant's argument that Linnakangas does not teach a secure 
connection extending between the source address of the first computer as a first end 
point and a destination address of the second computer as a second end point of the 
secure connection. Linnakangas teaches that the establishment of a secure connection 
between a first end point and a second end point, wherein both end points are user 
terminals (See par. 5, lines 1-6). Linnakangas further teaches that the intermediate 
computer (or IP forwarder) receives packets from a source and forwards them to their 
destination, over a secure association (See par. 8, lines 1-5). 

Regarding Applicant's argument that there is no rationale for combining 
Linnakangas and Applicant's Admitted Prior Art (AAPA). Both Linnakangas and AAPA 
deal with networking and providing secure connections between nodes. One of the 
most important factors that has shaped the computer and networking industry is 
compatibility. Allowing for different computers, or different networks, to communicate 
with each other is always at the forefront of designers' minds. Thus, adding flexibility by 
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allowing different networks to communicate is proper motivation for combining these 
related references. 

Regarding Applicant's argument that there is no rationale for combining 
Linnakangas and Sandhu. Both Linnakangas and Sandhu deal with providing for 
secure communications over the Internet. Since very sensitive information can be 
passed over an un-trusted network such as the Internet, engineers are always looking 
for ways to beef-up security, and make it harder for hackers to intercept their Internet 
traffic. Sandhu provides an additional layer of security that can be used in the system of 
Linnakangas to make it harder for hackers to intercept and decode Internet traffic. 
Thus, sufficient motivation exists to combine Sandhu with Linnakangas. 



Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351 (a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

1. Claims 1-5, 7-10, 22-24, 26 & 27 are rejected under 35 U.S.C. 102(e) as being 
anticipated by U.S. Patent Application Publication No. 2001/0047487 to Linnakangas, et 



al. (Linnakangas). 
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Regarding claim 1 , Linnakangas teaches a method for secure forwarding of a message 
from a first computer to a second computer via an intermediate computer in a 
telecommunication network(See paragraph 24, lines 4-8; wherein the local host 5 is the 
first computer, remote host 4 is the second computer, and router 2 is the intermediate 
computer), comprising: establishing a secure connection between the first computer and 
the second computer via the intermediate computer (See par. 24, lines 4-1 1 ; wherein 
message formation is inherent in "communication" and "exchanging user generated 
traffic"), the secure connection extending between a source address of the first 
computer as a first end point and a destination address of the second computer as a 
second end point of the secure connection (See par. 8, lines 1-5; wherein the 
destination of the packets is the second computer) in the first computer, forming a 
secure message by giving the secure message a first unique identity and a first 
destination address to the intermediate computer (See par.'s 4 & 24; wherein the SPI is 
the unique identity, and the header inherently includes the destination address), sending 
the secure message from the first computer to the intermediate computer (See par. 24, 
lines 4-6), the intermediate computer receiving the secure message and performing a 
translation by using the first unique identity to find a second destination address to the 
second computer, (See par.'s 4 & 24; wherein a router that is able to perform IPSec and 
IKE translation, inherently includes a translation table), the intermediate computer 
substituting the first destination address with the second destination address to the 
second computer (See par.'s 4 & 24; wherein address substitution is a standard part of 
IPSec processing and IKE translation), the intermediate computer substituting the first 
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unique identity with a second unique identity of the secure connection without 
establishing a new secure connection and without involving the second computer, (See 
par.'s 4 & 24; wherein generating and substituting SPI's is a standard part of IPSec 
processing and IKE translation; and, par. 8, lines 1-5; wherein a secure association, is 
the secure connection), and the intermediate computer forwarding the secure message 
with the second destination address and the second unique identity to the second 
computer in the secure connection (See par. 24, line 11). 

2. Regarding claim 2, Linnakangas discloses forming the secure message in step b) 
by using an IPSec connection between the first computer and the second computer 
(See par. 24, lines 4-7). 

3. Regarding claim 3, Linnakangas discloses performing a secure forwarding of the 
message by making use of SSL or TLS protocols (See par. 24, lines 4-7; wherein using 
a secure socket layer (SSL) is inherent in IPSec). 

4. Regarding claim 4, Linnakangas discloses manually performing a preceding 
distribution of keys to components for forming the IPSec connection (See par. 40, lines 
8-12; wherein manual distribution occurs when the IKE module is responding to a 
request). 

5. Regarding claim 5, Linnakangas discloses performing a preceding distribution of 
keys for forming the IPSec connection by an automated key exchange protocol (See 
par. 40, lines 8-12; wherein automated key exchange occurs when the IKE module 
initiates negotiations). 
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6. Regarding claim 7, Linnakangas teaches sending the message that is sent from 
the first computer as a packet that contains message data, an inner IP header 
containing the actual sender and receiver addresses, an outer IP header containing the 
addresses of the first computer and the intermediate computer (See par. 3, lines 1-6). 

7. Regarding claim 8, Linnakangas teaches the IPSec connection being one or 
more security associations (SA) and the unique identity being one or more SPI values 
(See par. 4, lines 5-14). 

8. Regarding claim 9, Linnakangas teaches performing the matching in step d) 

by using a translation table stored at the intermediate computer (See par. 31 , lines 1-6; 
wherein the IP forwarder module is part of the intermediate computer). 

9. Regarding claim 10, Linnakangas teaches changing both the address and 
the SPI-value by the intermediate computer (See par. 24; wherein IPSec includes 
replacing addresses in accordance with the translation tables, and assigning a new SPI 
value to every received packet). 

10. Regarding claim 22, Linnakangas teaches a telecommunication network for 
secure forwarding of messages, comprising: a first computer, a second computer and 
an intermediate computer, the first and the second computers having a secure 
connection therebetween via the intermediate computer (See par. 24, lines 1-15; 
wherein local host 5 is the first computer, remote host 4 is the second computer, and 
router 2 is the intermediate computer), the secure connection having a source address 
of the first computer as a first end point and a destination address of the second 
computer as a second end point (See par.'s 5, lines 1-6, and par. 8, lines 1-5), the first 
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and the second computers having means for performing an IPSec processing, the 
intermediate computer having translation means for using translation tables to perform 
IPSec and IKE translation (See par. 14, lines 1-5) and for changing a destination 
address of the intermediate computer of a secure message to a destination address of 
the second computer, and the intermediate computer having means for forwarding the 
secure message received from the first computer to the second computer in the secure 
connection (See par. 8, lines 1-5). 

1 1 . Regarding claim 23, Linnakangas teaches the translation table for IPSec 
translation has IP addresses of the intermediate computer to be matched with IP 
addresses of the second computer (See par. 24, lines 4-6; wherein the router inherently 
has translation tables to perform IPSec). 

12. Regarding claim 24, Linnakangas teaches the translation tables for IKE 
translation consists of two partitions, one for the communication between the first 
computer and the intermediate computer and another for the communication between 
the intermediate computer and the second computer (See par. 24, lines 4-8; wherein 
the router (or intermediate computer) inherently includes at least two translation tables 
(or partitions), since one translation table is required for each IPSec connection, and 
there are at least two IPSec connections). 

13. Regarding claim 26, Linnakangas teaches another translation table for IKE 
translation containing fields for matching a given user to a given second computer (See 
par. 24, lines 8-11; wherein each remote host must establish a new secure connection, 
which includes a new translation table). 
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14. Regarding claim 27, this claim recites a network for carrying out the method of 
claim 1, and is rejected for the same reasons. 



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

15. Claims 6, 11-14 & 20-21 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Linnakangas, as applied to claim 1 above, in view of Applicant's 
Admitted Prior Art (AAPA). 

16. Regarding claim 6, Linnakangas teaches the invention as described in claim 5. 
Linnakangas does not teach performing the automated key exchange protocol used for 
the preceding distribution of keys for forming the IP Sec connection by means of a 
modified IKE key exchange protocol between the first computer and the intermediate 
computer and by means of a standard IKE key exchange protocol between the 
intermediate computer and the second computer. However, AAPA teaches a 
modified IKE key exchange protocol between the first computer and the intermediate 
computer (See page 8, lines 27-29; wherein the key exchange is modified to support 
NAT traversal) and a standard IKE key exchange protocol between the intermediate 
computer and the second computer (See p. 8, lines 29-32). 
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Using the features of AAPA in the system of Linnakangas would have added 
flexibility by allowing different networks to connect to the system. Therefore, it would 
have been obvious to one of ordinary skill in the art, at the time of the invention, to 
combine the teachings of AAPA and Linnakangas. 

17. Regarding claim 1 1 , Linnakangas teaches the invention as described in claim 1 . 
Linnakangas does not teach the first computer being a mobile terminal, so that the 
mobility is enabled by modifying the translation table at the intermediate 

computer. However, AAPA teaches this limitation (See p. 7, lines 10-16). 

Using the features of AAPA in the system of Linnakangas would have broadened 
the appeal and applicability of the system by allowing mobile units to connect to the 
network. Therefore, it would have been obvious to one of ordinary skill in the art, at the 
time of the invention, to combine the teachings of AAPA and Linnakangas. 

18. Regarding claim 12, Linnakangas, in view of AAPA, teach the invention as 
described in claim 1 1 . Linnakangas further teaches performing the modification of the 
translation tables by sending a request for registration of the new address from the first 
computer to the intermediate computer (See p. 3, par.'s 46-51). 

19. Regarding claim 13, Linnakangas, in view of AAPA, teach the invention as 
described in claim 12. Linnakangas further teaches sending a reply to the request for 
registration from the intermediate computer to the first computer (See p. 3, par. 50). 

20. Regarding claim 14, Linnakangas, in view of AAPA, teach the invention as 
described in claim 12. Linnakangas further teaches authenticating or encrypting by 
IPSec the request for registration and/or reply (See p. 3, par. 62). 
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21 . Regarding claim 20, Linnakangas teaches the invention as described in claim 1 . 
Linnakangas does not teach sending the secure message by using an IPSec transport 
mode. However, AAPA teaches this limitation (See p. 4, lines 14-19). 

Using the features of AAPA in the system of Linnakangas would have added 
improved security to the system. Therefore, it would have been obvious to one of 
ordinary skill in the art, at the time of the invention, to combine the teachings of AAPA 
and Linnakangas. 

22. Regarding claim 21 , Linnakangas teaches the invention as described in claim 1 . 
Linnakangas does not teach sending the secure message by using an IPSec tunnel 
mode. However, AAPA teaches this limitation (See p. 4, lines 21-29). 

Using the features of AAPA in the system of Linnakangas would have added 
improved security and flexibility to the system. Therefore, it would have been obvious to 
one of ordinary skill in the art, at the time of the invention, to combine the teachings of 
AAPA and Linnakangas. 

23. Claims 1 5-1 9 & 25 are rejected under 35 U.S.C. 1 03(a) as being unpatentable 
over Linnakangas, as applied to claims 4 & 24 above, in view of U.S. Patent Number 
6,985,953 issued to Sandhu, et al. (Sandhu). 

24. Regarding claim 15, Linnakangas teaches the invention as described in claim 4. 
Linnakangas further teaches establishing the key distribution for the secure connections 
by establishing an IKE protocol translation table, and using the translation table to 
modify IP addresses of IKE packets in the intermediate computer (See par. 24, lines 4- 
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6). Linnakangas does not teach using the translation table to modify cookie values of 
IKE packets in the intermediate computer. However, Sandhu teaches this limitation 
(See col. 7, line 55 to col. 8, line 19; wherein the KDC is the intermediate computer). 

Using the features of Sandhu in the system of Linnakangas would have added 
another layer of security within the secure connection. Therefore, it would have been 
obvious to one of ordinary skill, at the time of the invention, to combine the teachings of 
Sandhu and Linnakangas. 

25. Regarding claim 16, Linnakangas in view of Sandhu teach the invention as 
described in claim 15. Linnakangas does not teach establishing the key exchange 
distribution by: generating an initiator cookie and sending a zero responder cookie to 
the second computer, generating a responder cookie in the second computer, and 
establishing a mapping between IKE cookie values in the intermediate computer. 
However, Sandhu teaches generating an initiator cookie and sending a zero responder 
cookie to the second computer (See col. 8, lines 41-47; wherein the Authenticator is the 
initiator cookie), generating a responder cookie in the second computer (See col. 8, 
lines 41-47; wherein Bob's response is the responder cookie), and establishing a 
mapping between IKE cookie values in the intermediate computer (See col. 8, lines 49- 
51 ; wherein a mapping is required for authentication). 

Using the features of Sandhu in the system of Linnakangas would have 
increased the number of security features available in the system. Therefore, it would 
have been obvious to one of ordinary skill in the art, at the time of the invention, to 
combine the teachings of Sandhu and Linnakangas. 
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26. Regarding claim 17, Linnakangas in view of Sandhu teach the invention as is 
described in claim 15. Linnakangas further teaches modifying a IKE protocol between 
the first computer and the intermediate computer by transmitting the IKE keys from the 
first computer to the intermediate computer in order to decrypt and modify IKE packets 
(See par.'s 4 & 24; wherein the remote host 4 is an IPSec node that sends the IKE keys, 
and equates to applicant's first computer). 

27. Regarding claim 18, Linnakangas in view of Sandhu teach the invention as is 
described in claim 15. Linnakangas further teaches carrying out the modification of the 
IKE packets by the first computer with the intermediate computer requesting such 
modifications (See par.'s 41-45; wherein the IKE module is in the intermediate 
computer). 

28. Regarding claim 19, Linnakangas in view of Sandhu teach the invention as 
described in claim 1 7. Linnakangas further teaches defining the address so that the first 
computer is identified for the second computer by the intermediate computer by means 
of an IP address taken from a pool of user IP addresses when forming the translation 
table (See par.'s 56 & 57). 

29. Regarding claim 25, Linnakangas teaches the invention as described in claim 24. 
Linnakangas further teaches both partitions of the mapping table for IKE translation 
contains translation fields for a source IP address and a destination IP address between 
respective computers (See par. 24, lines 4-8; wherein source and destination addresses 
are inherent in IPSec). Linnakangas does not teach the mapping table for IKE 
translation contains translation fields for initiator and responder cookies between 
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respective computers. However, Sandhu teaches a mapping table that contains 
translation fields for initiator and responder cookies between respective computers (See 
col. 8, lines 41-51 ; wherein the authenticator is the initiator cookie and Bob's response 
is the responder cookie). 

Using the features of Sandhu in the system of Linnakangas would have provided 
increased security and insured that messages where transmitted to the correct 
destination. Therefore, it would have been obvious to one of ordinary skill in the art, at 
the time of the invention, to combine the teachings of Sandhu and Linnakangas. 



Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jeffrey Seto whose telephone number is (571)270-7198. 
The examiner can normally be reached on Monday thru Thursday and alt. Fridays, 9:30 
AM-7 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Joseph E. Avellino can be reached on (571) 272-3905. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



JKS 

9/8/2009 

/Joseph E. Avellino/ 

Supervisory Patent Examiner, Art Unit 2458 



